Grounding information security in healthcare


International Journal of Medical Informatics 79 (2010) 268–283

journal homepage: www.intl.elsevierhealth.com/journals/ijmi

Ana Ferreira a,c,d,∗, Luis Antunes b, David Chadwick a, Ricardo Correia c,d

a Computing Laboratory, University of Kent, CT2 7NF Canterbury, Kent, UK
b Instituto de Telecomunicações, Faculdade de Ciências da Universidade do Porto, 4169-007 Porto, Portugal
c Biostatistics and Medical Informatics Department, Faculty of Medicine, Al. Prof. Hernâni Monteiro, 4200-319 Porto, Portugal
d CINTESIS – Center for research in health information Systems and technologies, Faculty of Medicine, Al. Prof. Hernâni Monteiro, 4200-319 Porto, Portugal

Article info

Article history:
Received 7 July 2009
Received in revised form 19 January 2010
Accepted 19 January 2010

Keywords:
Information security
Access control
Access control policy
Electronic medical record
Grounded theory
Mixed methods

Abstract

Purpose: The objective of this paper is to show that grounded theory (GT), together with mixed methods, can be used to involve healthcare professionals in the design and enhancement of access control policies to Electronic Medical Record (EMR) systems.

Methods: The mixed methods applied for this research included, in this sequence, focus groups (main qualitative method that used grounded theory for the data analysis) and structured questionnaires (secondary quantitative method).

Results: Results showed that the presented methodology can be used to involve healthcare professionals in the definition of access control policies to EMR systems and explore these issues in a diversified and integrated way. The methodology allowed for the generation of great amounts of data in the beginning of the study and in a short time span. Results from the applied methodology revealed a first glimpse of the theories to be generated and integrated, with future research, into access control policies.

Conclusions: The methodological research described in this paper is very rarely, if ever, applied in developing security tools such as access control. Nevertheless, it can be an effective way of involving healthcare professionals in the definition and enhancement of access control policies and in making information security more grounded into their workflows and daily practices.

© 2010 Elsevier Ireland Ltd. All rights reserved.

∗ Corresponding author at: Computing Laboratory, University of Kent, CT2 7NF Canterbury, Kent, UK. Tel.: +44 1227 824180; fax: +44 1227 762811.
E-mail addresses: [email protected], [email protected] (A. Ferreira).
1386-5056/$ – see front matter © 2010 Elsevier Ireland Ltd. All rights reserved.
doi:10.1016/j.ijmedinf.2010.01.009

1. Introduction

Information security is usually defined by three main characteristics: confidentiality – the prevention of unauthorised disclosure of information; integrity – the prevention of unauthorised modification of information; and availability – the prevention of unauthorised withholding of information or resources [1,2].

In order to access information within a system there are usually three steps: identification – where users say who they are (e.g. with a unique username); authentication – where users prove they are who they say they are (e.g. using a password or PIN number); and authorisation – where access rights are given to the users. Authorisation can usually only occur after the first two steps have been successfully completed, and it checks if users have all the required privileges to access the resources they requested. Access control is part of the authorisation process that checks if users may access the resources they asked for. So it focuses on the interaction between users and technology, aiming to provide information confidentiality without compromising information availability.

The introduction of Electronic Medical Record (EMR) systems within healthcare organizations has allowed the integration of heterogeneous patient information that was usually scattered over different locations [3,4]. EMR has become an essential source of information and an important support tool for healthcare professionals (HCPs). However, there are some barriers that prevent the effective integration of EMR within the healthcare practice. These barriers can be grouped in terms of: time/cost, relational issues and educational needs [5,6]. Time and cost barriers include the cost of EMR integration and the time healthcare professionals need to spend learning how to use the system. The relational barrier includes the perceptions that physicians and patients have about the use of EMR and how their relationship may be affected by its use (during a consultation, for example). The educational barrier comprises the lack of proficiency and difficulties that HCPs have in interacting with EMR systems in order to perform their daily tasks [7].

HCPs do not usually participate in the design and development of EMR systems (specifically in the access control function), so they usually have to change their workflow patterns and adapt their procedures and processes in order to access EMR systems within their practices [8]. This is very challenging as well as time and cost consuming [6]. Within healthcare, access to sensitive information is usually required by different professionals (e.g. GPs, doctors, nurses, administrative personnel) so access control to EMR can be very complex and hard to define and implement properly, and should start with the definition of structured and formal access control policies as well as access control models [9]. Ultimately, access control is closely related to the definition of a system’s workflow, how the system is to be used and how the tasks are to be performed. Access control policies define who the actors of the system are and what they can access and do within the system. If access control in EMR can be closer to healthcare professionals’ needs then some of the identified problems can be minimised, helping to ensure that EMR can be more effectively implemented and used and provide for better healthcare [8].

The objective of this paper is to show that grounded theory (GT) – a methodology that is very rarely, if ever applied in developing security tools such as access control – together with mixed methods, can be used to effectively involve HCPs in the design and enhancement of access control policies for EMR systems. We could not find any published material describing the application of GT or mixed methods in the process of defining and improving access control for healthcare.

The next section presents the concept of grounded theory, mixed methods and their importance in this context; Section 3 describes the application and results of focus groups’ studies within this study while Section 4 presents the same information regarding the application of structured questionnaires. Section 5 discusses some of the results and presents the lessons learned from applying the research approach described here. It also discusses the limitations and areas of future research. Section 6 presents some concluding remarks.

2. Grounded theory and mixed methods

Grounded theory is a research approach that focuses on developing theory from the qualitative analysis of data without any particular commitment at the outset to any specific kinds of data, lines of research or theoretical interests [10]. Instead of identifying a data sample at the outset, GT involves the process of theoretical sampling of successive sites and data sources, selected to test or refine new ideas as they emerge from the data. GT relies mainly on qualitative data acquired through a variety of methods such as observation and unstructured interviews in the initial stages and then more structured forms of data collection as the study becomes more focused. GT is commonly used in social science research where social scientists try to explore all aspects of human behaviour and environment. They re-examine the social world in order to better understand or explain why and how people behave [11]. Nevertheless, GT can also be applied in other areas of research where there is a need to generate theory and ideas from research data [12].

2.1. GT in this study

Healthcare is a complex environment so it is important to understand and learn as much as possible about it by collecting qualitative data and generating theories from that data. From these theories it will be possible to formulate access control rules that can describe, closer to reality, users’ interactions with the EMR and then include these in the subsequent design and implementation of an access control model. GT is an appropriate approach for this study as it focuses on understanding healthcare professionals’ experiences, workflows and behaviour as well as the social context during the implementation and use of EMR.

2.2. Mixed methods in this study

The complementarity of mixed methods produces richer data and provides different views and experiences for the subject to be explored. GT is the most appropriate method to start the study, since it can generate various theories to be translated into access control rules that are closer to end users’ needs. The application of a smaller quantitative method afterwards will guarantee that those theories will be either confirmed or confronted. The latter can be further analysed to assure that the final data is the most accurate and closer to reality.

According to the priority-sequence model presented in Ref. [13] and the research objectives of this work we chose a smaller quantitative study – structured questionnaires – to evaluate and interpret the results from a larger qualitative study – focus groups (QUAL → quant). The quantitative method provides a means to expand on what was learned through the main qualitative study. The classic use of this design is to explore the generalisability or transferability of conclusions from the qualitative research. Even a small quantitative follow-up can typically cover a much larger sample or range of settings than were present in the initial, in-depth qualitative research [13].

Table 1 – Description of each FG data collection.

FG | Segmentation | Date and time | Recording | Audio | Video | Moderators
FG1 | Yes | 11/01/2008 18 h:20 min | 44 min:28 s | Y | N | 2
FG2 | Yes | 11/01/2008 19 h:20 min | 37 min:22 s | Y | N | 2
FG3 | No | 21/02/2008 19 h:00 min | 54 min:44 s | Y | Y | 1
FG4 | Yes | 26/06/2008 19 h:00 min | 40 min:16 s | Y | Y | 1

3. Focus groups

Focus groups were chosen because they better adapt to the objectives of this research – they are the most appropriate qualitative method when we need to assess different professionals’ views and experiences. They can generate large amounts of qualitative information from only one discussion and in a relatively short period of time. It is difficult to perform observation studies in a HCP’s working place because it is a very eclectic environment and it is not so easy to arrange in a short timescale. Structured questionnaires were chosen to complement the main qualitative study because they can be left with the HCPs for them to fill out in their own time without causing them too much stress or interfering with their busy schedules. The questionnaires can also further explore issues that came up during the focus groups’ discussions in order to either complement or confront that data.

The main objective of focus groups (FGs) is to gather opinions and experiences related to specific topics. This is obtained through sampling groups (6–8 people) of the required population, who meet to discuss a set of topics amongst themselves. The discussion can last on average from one to one and a half hours, and is guided by a skilled moderator who records the discussions. The data is first transcribed and then analysed in a qualitative manner.

3.1. Population

The selection of participants was made from the postgraduate students at the Faculty of Medicine of the University of Porto. Students were chosen from the following Master Courses: Medical Informatics and Evidence and Decision in Healthcare; and from the Doctoral Program Clinical and Healthcare Services Research. Both HCPs and informatics’ professionals are enrolled on the Masters Courses, but only HCPs were selected and put into groups according to their professional background. One of these groups, however, included HCPs with mixed backgrounds. The doctoral program enrols only medical doctors and so these comprised one of the groups. Grouping participants according to professional backgrounds (i.e. segmentation) facilitates discussions because all the participants in a group have similar experiences and backgrounds, and are usually at the same level of understanding [14].

The HCPs were contacted and selected at the beginning of their courses (during their first lectures). They were gathered in a room without knowing that they were going to participate in a focus group or what the topic of the discussion was going to be.

Table 2 – Healthcare institutions of the focus groups’ participants.

FG | University teaching hospital | Hospital | Hospital centre (a) / Health centre / Private clinic (non-empty cells, in column order)
FG1 | 1 | 2 | 1
FG2 | 2 | 2 | 1
FG3 | 1 | 3 | 1 1 1
FG4 | 4 | 1 | 4 1
Total | 8 | 8 | 6 3 1

(a) Organizations that integrate more than two hospitals.

3.2. Line of discussion

The list below presents the line of discussion that was followed by the moderator:

1. The participants were given the main theme to discuss and other information regarding the process that would be followed during the course of the focus group.

2. Each participant was asked to give their consent to participate.

3. Each participant was initially asked to give details about their profession and work location, as well as the use of EMR within their practice.

4. After that they were all asked to discuss amongst themselves:
   a. The use of paper records or EMR, what are the advantages or disadvantages of each;
   b. access control issues in general;
   c. access control mechanisms they use on a daily basis when accessing the system;
   d. the problems and benefits of giving different access roles to different groups of users;
   e. access control policies to EMR: who defines them, what should be improved.

At the end of the discussion they were asked to give their opinions about the best access control solutions that they think should be used to control the access to EMR.

3.3. Data collection and analysis

Data was collected by audio recording the whole conversation while the conversations of the third and fourth group were also recorded with a video camera (Table 1).

Regarding data analysis, only one person was involved during the whole process. The discussions from each focus group were transcribed into four separate word documents. Each document was then divided into smaller ones, containing only the dialogues belonging to each one of the participants, so that the data could be more easily related to a specific participant.

All documents were inserted into the qualitative analysis software, QSR NVivo 7 [15], and the coding was done using this tool to register and structure data in a more automatic way. The coding started after each focus group document was generated and was done separately for each group.

Discussion topic, categories and sub-categories that were generated from each group were not only used in the categorisation of subsequent group discussions but were also back categorised to the previous ones (where applicable).

The data analysis was performed in four phases. In the first phase, codes were generated from the data itself (in vivo coding), using a line-by-line coding strategy. These codes comprise the core ideas that were found within the text. Line-by-line coding helps to identify gaps, define actions and explicate both actions and meanings and leads to developing theoretical categories [16]. In the second phase, a more focused and structured coding was done and codes started to fit and be grouped into categories. The third phase was based on axial coding where relations between categories and sub-categories became more visible and so they were organized as such. Phase 4 was customized and oriented to the objectives of this research and consisted of the generation of access control theories that could be integrated in an access control policy, and further into an access control model in future research (Fig. 1).

Fig. 1 – Phases of data analysis for the focus groups.

Theoretical sampling was not incorporated in this study due to time and resources constraints so the GT approach used in this study was applied to data analysis and not to data collection. Also, theories achieved within this study are substantive theories because they evolved from the study of a phenomenon from a particular situational context.

3.4. Results

Four groups were arranged with a total of 26 participants: one group with 4 nurses (FG1), one group with 5 health technicians (FG2) (3 radiologists, 1 pharmacist and 1 neurophysiologist), another group with 7 people from mixed backgrounds (FG3) (1 doctor, 3 nurses and 3 health technicians) and the last group with 10 medical doctors (FG4). Table 2 shows the type of institutions they worked for.

Fig. 2 presents the results obtained from each step of the analysis whilst Fig. 3 describes the categories/sub-categories that were generated from the qualitative data collected for each focus group. The categories are sorted alphabetically and newly generated categories from the different focus groups are marked in a different colour. The eight core categories represented in Fig. 3 (from step 7 of the analysis) are: access by patients; access control; access control roles; access control policies; access control solutions; access in emergency situations; paper vs digital; and security.

Fig. 2 – Results for each step of the analysis.

Fig. 3 – Category/sub-category generation from the four FGs. FG1 are not marked; FG2 generated categories are in ( ); FG3 generated categories are in ( ); FG4 generated categories are in ( ).

From a closer analysis of the transcripts the most common themes in the discussions (generated in step 8 of the analysis) are presented in Table 3. Participants discuss those themes in both negative and positive terms; this degree is categorised accordingly in the sub-categories shown (Fig. 3).

Table 3 – Most discussed categories in the four FGs (n = 26). TR: total number of references for the category; and PP: no. of different people discussing the sub-category.

Main categories | TR | Most mentioned sub-categories | PP
Access control | 146 | Login-password | 18
 | | Usage problems | 18
 | | Share logins-passwords | 16
Access control policies | 125 | Problems with the policies | 16
 | | Alterations and adaptations | 12
 | | Participate in the policy definition and give opinion | 14
Paper vs Digital records | 100 | Problems with the digital records | 11
 | | Problems with the paper records | 10
 | | Types of use | 10
Access control roles | 99 | Problems of accessing useful information | 11
 | | Access to only parts of the record | 9
 | | Problems of accessing too much information | 8
Access by patients | 98 | Require HCPs support | 9
 | | Illiteracy and ignorance | 11
 | | Legislation and rights | 11
Security | 86 | Functionality problems | 13
 | | Information protection problems | 6
 | | General issues | 8
Access control solutions | 70 | Types of solutions | 11
 | | Biometrics | 11
 | | Fingerprint | 6
Access in emergency situations | 11 | Requires different access | 4

4. Structured questionnaires

These are questionnaires containing different sets of questions, organized in a specific order. A sample of the population is selected and the questions are applied either face to face or people are left to complete them in their own time. The questionnaires can be oriented to focus on specific information. They can, for instance, be based on previously obtained information such as from focus group discussions, as they were in this specific study.

The data is analysed quantitatively.

4.1. Construction of the questionnaire

Questions were constructed based directly on the categories and sub-categories resulting from the focus groups discussion and analysis (Table 4).

Table 4 – Mapping the questionnaire sections and questions to the generated categories/sub-categories within the focus groups.

Question topic | Related categories/sub-categories | Questions
Generic EMR | Usage problems | {1,2,3,5}
 | Paper vs digital | {4}
 | Security | {6}
 | Access control policies | {7,8,9}
Access control to EMR | Access control | {12,13}
 | Access control roles | {14,15,16,17,18}
 | Define access control policies | {19}
 | Access control solutions | {10,11}
 | Access in emergency situations | {20}
ATM patients’ access | Access by patients | {21,22,23,24}

4.2. Population

Questionnaires were tested and corrected with five different people from different backgrounds before they were applied to the population in the study.

Healthcare professionals were approached at the Faculty of Medicine and the Faculty of Nutrition and Food Sciences from the University of Porto. These professionals worked in various healthcare institutions (e.g. Hospitals, Health Centres, Private and Public Institutions and Laboratories) and were approached in a random fashion at their working place during working hours. They were asked to answer the questionnaire and they could either refuse to do it, do it immediately or do it later in their own time.

4.3. Data collection and analysis

Data was collected from the respondents, who were completely unaided in this. The data was subsequently analysed and summarised by the SPSS statistical program.

4.4. Results

For the purpose of this study, 27 valid questionnaires were received and analysed. Questionnaires were received from 12 medical doctors, 6 nurses and 9 healthcare professionals. 16 participants were female while 11 were male. 14 participants worked in a hospital, 5 in a health centre, 4 in a private healthcare institution, 2 in an academic institution, 1 in a laboratory and 1 in a public healthcare institution. In terms of academic education, 23 respondents had a BSc and 4 had an MSc. Also, 16 had some informatics’ proficiency, 7 had had some informatics’ education and 3 had had none (1 respondent did not answer this question).

The questionnaire was divided into four parts and was based on the categories generated from the focus groups discussions. The questionnaire was designed to further explore some of the issues that are more relevant to this study. Part 1 contained 9 generic questions regarding EMR; Part 2 had 11 questions regarding access control to EMR; Part 3 had 4 questions about a fictitious scenario of patients using an Automatic Teller Machine (ATM) to access their medical records; and Part 4 had 7 demographic questions (see Appendix A).

A summary of the obtained results is presented below.

4.4.1. Results from Part 1

The answers obtained from Part 1 of the questionnaire showed that 21 HCPs had used EMR during the course of their work whilst 6 respondents never had. All the results to the questions that relate to the use of EMR focus only on those 21 professionals. More generic questions take into account the total number of respondents (27).

Seventeen HCPs used the EMR daily or almost every day whilst three used EMR between 1 and 3 times per week, and one respondent did not know. The most common uses were: Data input 18; Consultation 15; Prescription 11; Emergency or Intensive Care Unit 8; Decision support 5. Twelve respondents agreed that the EMR was very important for their work, eight thought it was indispensable while one respondent considered that EMR was a necessary evil.

Although many of the participants accessed EMR on a daily basis there were still many problems associated with its use, as shown in Table 5.

Table 5 – Number of respondents for the question about EMR problems.

EMR problems | No. of respondents
Required previous education or training | 18
EMR allows sharing of sensitive information | 17
Access control can be a problem | 15
Required change in tasks HCPs need to perform | 13
EMR allows distributed online access to potentially anyone | 7
They are not secure | 6
May affect doctor–patient relationship | 5
Do not trust the system | 5
Wastes time of user | 4

In response to the question about participating in the development of EMR, 22 respondents said they had never participated in this whilst 5 said they had. When asked if they thought HCPs should participate in the development of EMR, 22 respondents said they should, 3 said they should not whilst 2 did not know. When asked which parts of the development they ought to participate in, 21 said they would like to participate in the conceptualization phase; 16 in the testing process; 15 in the implementation; 14 in the definition of access control policies; and 2 did not know.

4.4.2. Results from Part 2

The second set of questions focused on controlling access to the EMR and 19 respondents said they logged in to the EMR with a password, 4 of whom used passwords together with biometrics. 1 respondent used biometrics alone, 1 did not use any kind of mechanism. The respondents were asked what the most common issues were when authenticating to the EMR with username and password. Table 6 summarises the responses.

Table 6 – Issues regarding the use of login and password as authentication mechanisms.

Issues of login-password | No. of respondents
Accesses easily the system using a login and a password | 15
Shares the password with other users | 4
Forgets the password many times | 2

When asked about the time taken to access the EMR, 7 respondents said that it took too long to access the EMR, whilst 14 said it did not. When asked if they had any difficulties in accessing the EMR, 11 said a few times, 5 said regularly, 4 answered never whilst 1 respondent said many times.

The respondents were then asked various questions about access control roles: should different staff be given different roles of access, did their systems support different roles of access for different staff, and if so, were those the correct roles, and finally, did the respondent participate in the setting of those access roles. Thirteen respondents agreed with the existence of different access control roles in general, whilst 12 agreed with this but only for some of the information in EMR, and 2 participants thought all staff should have the same level of access. Fifteen respondents said that their EMR had different access control roles, three said theirs did not support this and three did not know. Further, eight respondents said they were not the correct access roles while five said they were. Just 1 of the respondents said they had participated in the definition of the access control roles while 25 said they had not, and 1 respondent did not have an opinion on the subject.

Table 7 presents the responses for the types of access control roles that the participants think should be used together with the systems they currently use on a regular basis.

Table 7 – What types of access control roles exist or should exist.

Types of access control role defined by | Should exist | Do exist
Professional category | 19 | 13
Type of information (±sensitive) | 15 | 2
The dept where the HCP works | 11 | 6
The patients themselves | 4 | 0

Finally, the respondents were asked if HCPs should be provided with access to patient information in emergency situations, and if so, when was this justified. Nine respondents answered yes but only for those professionals participating in the emergency care; eight answered yes depending on the emergency situation; one participant answered yes for everybody; one participant said yes as long as the HCP was authorised; another participant said yes for the team that is assisting the patient at that moment; two respondents said yes but did not justify this; and four respondents said no (one participant did not answer this question).
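The role attributes listed in Table 7 and the emergency-access answers above can be combined into a single access decision. The Python below is an added example, not part of the paper or of any EMR product; the category ceilings, sensitivity levels, field names and the rule that emergency access overrides the normal role checks only for the team assisting the patient are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    ROUTINE = 1     # e.g. demographics, appointments
    CLINICAL = 2    # e.g. diagnoses, prescriptions, results
    RESTRICTED = 3  # especially sensitive notes


# Assumed ceiling per professional category (first row of Table 7).
CATEGORY_CEILING = {
    "doctor": Sensitivity.RESTRICTED,
    "nurse": Sensitivity.CLINICAL,
    "health_technician": Sensitivity.CLINICAL,
    "administrative": Sensitivity.ROUTINE,
}


@dataclass(frozen=True)
class User:
    user_id: str
    category: str
    department: str


@dataclass(frozen=True)
class RecordSection:
    patient_id: str
    department: str
    sensitivity: Sensitivity
    excluded_by_patient: frozenset = frozenset()  # user_ids the patient opted out


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    emergency: bool = False


@dataclass
class PolicyEngine:
    # patient_id -> user_ids assisting that patient in an emergency right now
    emergency_teams: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _normal(self, user, section):
        ceiling = CATEGORY_CEILING.get(user.category)
        if ceiling is None:
            return Decision(False, "unknown professional category")
        if section.sensitivity > ceiling:
            return Decision(False, "information too sensitive for category")
        if user.department != section.department:
            return Decision(False, "record belongs to another department")
        if user.user_id in section.excluded_by_patient:
            return Decision(False, "patient excluded this user")
        return Decision(True, "role permits access")

    def _emergency(self, user, section, justification):
        # Assumption: only clinical staff on the assisting team may override.
        if not justification.strip():
            return Decision(False, "emergency access needs a justification")
        if CATEGORY_CEILING.get(user.category, 0) < Sensitivity.CLINICAL:
            return Decision(False, "category not eligible for emergency access")
        if user.user_id not in self.emergency_teams.get(section.patient_id, ()):
            return Decision(False, "user is not on the patient's emergency team")
        return Decision(True, "emergency access for assisting team", emergency=True)

    def decide(self, user, section, justification=None):
        decision = self._normal(user, section)
        if not decision.allowed and justification is not None:
            decision = self._emergency(user, section, justification)
        # Log every decision so emergency use can be reviewed afterwards.
        self.audit_log.append({
            "user": user.user_id, "patient": section.patient_id,
            "allowed": decision.allowed, "emergency": decision.emergency,
            "reason": decision.reason, "justification": justification,
        })
        return decision


def demo():
    """Constructed sample requests; returns (decisions, audit_log)."""
    engine = PolicyEngine(emergency_teams={"p-001": {"n-17"}})
    notes = RecordSection("p-001", "cardiology", Sensitivity.RESTRICTED)
    labs = RecordSection("p-001", "cardiology", Sensitivity.CLINICAL)
    er_nurse = User("n-17", "nurse", "emergency")
    ward_nurse = User("n-22", "nurse", "cardiology")
    results = {
        "ward_nurse_labs": engine.decide(ward_nurse, labs),
        "ward_nurse_notes": engine.decide(ward_nurse, notes),
        "er_nurse_routine": engine.decide(er_nurse, labs),
        "er_nurse_emergency": engine.decide(er_nurse, notes, "cardiac arrest"),
        "ward_nurse_emergency": engine.decide(ward_nurse, notes, "curious"),
    }
    return results, engine.audit_log
```

Calling `demo()` returns the five decisions together with the audit log; only the nurse on the patient's emergency team obtains the override, and that entry is the one flagged `emergency` for later review.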

4.4.3. Results from Part 3Part 3 of the questionnaire related to a fictitious scenarioof patients accessing their own medical records via an ATMmachine. The majority of HCPs (17) did not agree with thismethod of access. When asked if ATMs were secure, 18 didnot think they were, although the vast majority of the respon-dents (25) often use ATMs to perform their banking operationson a regular basis (Table 8).

The main problems envisaged with this type of access topatients’ healthcare information were: it raises ethical ques-tions (13) and is not secure enough (13) (more than one optioncould be chosen).

5. Discussion

5.1. Interpretation of the results

The interpretation of the preliminary results was performedby relating them to the following four categories/sub-categories: usage problems, access control roles, accesscontrol policies and emergency access. We compared focusgroups’ results with the questionnaire results for the samecategories.

The focus groups’ results focused mostly on usability prob-lems and the sharing of logins and passwords. Exploring theseissues further, the questionnaires showed that most respon-dents required previous education and training and a changeto the working patterns in order to use the EMRs. This is some-thing that needs to be improved in the future, and on whichfurther research is needed. Also, they stated that the accesscontrols were not always well defined and a few said that theuse of EMRs may affect the doctor–patient relationship. Aboutthe sharing of logins and passwords, only a small percentagesaid they did it (confirming what came up within the FG dis-cussions) while the majority said they accessed the systemquite easily with this authentication mechanism. The abuseof logins and passwords by a few is still an issue that needs tobe further explored.

Regarding different access control roles (ACRs), focus groups’ participants discussed how these usually had a large effect on how HCPs can access the EMR. Discussion focused on the wrong definition of ACRs. Participants were concerned about the problems of accessing too much or too little information, or which parts of the record to access. Exploring these issues further, the questionnaires revealed that access roles should be more flexible and defined not only according to the professional category of the HCP, but also by the type of information being accessed and even by the department where the HCP works. Just over half of the respondents said that they use EMR with ACRs but more than a half of them concluded that the ACRs were not correctly defined. As expected, almost all of the respondents said they did not participate in the definition of ACRs. We conclude that ACRs need to be better thought through and analysed when they are being defined. They should depend on the environmental, cultural as well as human characteristics of the system, as well as the tasks to be performed and the place where the EMR is to be deployed. We note that only a few HCPs mentioned that patients should also take part in the definition of the ACRs. This is another interesting issue to pursue as patients are now legally required to give their consent for HCPs to access their EMR. This may require a large reformulation of existing EMRs, ACRs and access control policies that are currently being used.

Focusing on access control policies (APs), focus groups’ participants argued that they had many problems with the existing policies because they are very difficult to alter or adapt. The participants had a strong interest in participating in the definition of APs in the future as well as giving their advice to AP developers. A detailed analysis of the questionnaires showed that HCPs would mainly like to participate in the conceptualization phase of an EMR, whilst around half would be happy to participate in the testing and implementation phases of the EMR, as well as in the definition of the APs. It is worth exploring why more HCPs did not want to participate in the development of an EMR when it is obvious they have so many problems in using them and adapting them to their daily practices.

Concerning emergency access to EMRs by HCPs, focus groups’ participants raised the possibility of having a different type of access for these situations (i.e. different from what is stated in the policy for normal situations). A more detailed analysis of this issue with the questionnaires revealed that a vast majority of the respondents agree that HCPs must be able to access medical information in emergency situations even if they were not the HCP normally treating the patient. Emergency access may depend on the situation, location, type of emergency, time of access and so on. We propose that in such unanticipated situations, a “Break the Glass” policy must be created so that HCPs can temporarily have a controlled, justifiable and monitored access to the required information, and this should be integrated within the existing AP [17,18].

When asked about patients accessing their own medical records, focus groups’ participants mainly discussed that patients had the right to do this, since it was stated in the data protection legislation, and they could not go against it. However, many HCPs were worried that this could affect their work as most patients are not ready to understand the medical record and they might require the HCPs’ time to help them with it. To analyse this from a different perspective the questionnaires introduced the ATM scenario. More than half of the respondents said that accessing a medical record through an ATM machine was not a good idea because it was not secure enough or raised ethical issues. It is worth exploring further why a vast majority of the respondents are willing to trust their money to the ATM machines but not the EMR information. Furthermore, the ATM solution would also allow the patients to view their EMR information using help provided by the system itself, without requiring the HCPs to spend time on this.

Table 8 – Access to EMR via an ATM.

Question | Yes | No | No opinion
Do you agree with the access to an EMR by the patients via an ATM? | 6 | 17 | 4
Is it a secure system? | 7 | 18 | 2

Question | Daily/everyday | 1–3 times/week | Never
How often do you use an ATM to perform banking operations? | 4 | 21 | 1

In summary, the results reflect the need for EMRs to come closer to the HCPs, and for the APs to better mirror the HCPs’ workflows and tasks. Further, there is a need to provide a more flexible and adaptable AP to the EMR for both normal and unanticipated situations. The research method described in this paper could be one way of getting more appropriate APs.
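An added example (not from the paper or from the models it cites) of the access decision discussed in this section: roles keyed on professional category, department and information type, plus a “Break the Glass” override that is temporary, requires a justification and is logged for later review. The class, the policy entries and the 30-minute window are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample policy: (professional category, department, information type).
# All categories, departments and information types are illustrative assumptions.
NORMAL_POLICY = {
    ("doctor", "cardiology", "clinical_notes"),
    ("doctor", "cardiology", "lab_results"),
    ("nurse", "cardiology", "lab_results"),
}
BTG_WINDOW = timedelta(minutes=30)  # assumed lifetime of an emergency grant


@dataclass
class AccessController:
    audit_log: list = field(default_factory=list)
    btg_grants: dict = field(default_factory=dict)  # (user, patient) -> expiry time

    def _audit(self, now, user, patient, info_type, decision, reason=""):
        self.audit_log.append({"time": now, "user": user, "patient": patient,
                               "info_type": info_type, "decision": decision,
                               "reason": reason})

    def break_glass(self, user, patient, justification, now):
        """Open a time-limited emergency grant; a justification is mandatory."""
        if not justification.strip():
            self._audit(now, user, patient, "*", "BTG_REFUSED", "no justification")
            return False
        self.btg_grants[(user, patient)] = now + BTG_WINDOW
        self._audit(now, user, patient, "*", "BTG_OPENED", justification)
        return True

    def check(self, user, category, department, patient, info_type, now):
        """Return 'PERMIT', 'PERMIT_BTG' or 'DENY' and record the decision."""
        if (category, department, info_type) in NORMAL_POLICY:
            decision = "PERMIT"
        elif self.btg_grants.get((user, patient), now) > now:
            decision = "PERMIT_BTG"  # emergency path: flagged for later review
        else:
            decision = "DENY"        # no role match and no live grant for this patient
        self._audit(now, user, patient, info_type, decision)
        return decision

    def pending_review(self):
        """Audit entries a reviewer must examine after the emergency."""
        return [e for e in self.audit_log
                if e["decision"] in ("BTG_OPENED", "PERMIT_BTG")]
```

The grant is scoped to one user and one patient and expires on its own, so an emergency override cannot silently become a standing permission.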

5.2. The methodology

Both studies were performed within the course of a year (between January 2008 and January 2009). The results showed that the presented methodology can be used to effectively involve healthcare professionals in the definition of access control policies for EMR systems. The methodology allowed us to explore issues related to access control and users’ perspectives and experiences in a diversified and integrated way; diversified because data was generated using different collection methods, with different goals, and integrated because both methods were interconnected and complemented each other in the way they were applied.

The methodology generated large amounts of data within a short time span at the beginning of the study, and this allowed for a more focused analysis of specific issues later.

There was a time period of four months between the first three and the last focus group. This had an impact mostly on the performance of the last focus group because the analysis of the previous discussions generated more categories/sub-categories that could be also discussed and further explored within the last focus group.

The use of grounded theory, together with mixed methods, applied to information security (access control in this case) is an appropriate methodology for this research as it helps in exploring healthcare professionals’ daily workflows, experiences, perceptions, tasks and procedures while facilitating and understanding how these may or may not affect access control and vice-versa. This knowledge is essential in order to involve healthcare professionals in the definition and improvement of access control policies to EMR. This methodological approach allowed for the collection of richer data, both contextual and statistical, so the access control issues could be explored in a diversified and integrated way. Thus, it is possible to confront what happens in practice with what should happen in an ideal world. The generation of large amounts of data over a short time period at the beginning of the study helped to get information about issues for which there is very little published information available, such as the collaboration of users within the design and development of access control systems in healthcare with the use of grounded theory and mixed methods. It also helped to direct where further exploration was needed using a more focused analysis of specific issues.

The description of the methodology we applied and our preliminary results confirm why this methodology works well for this research topic. The preliminary results provide a first glimpse of the theories that need to be generated and tested in future research about access control policies. Our first hypothesis is that a new access control model is needed for supporting HCPs who access EMRs.

5.3. Limitations

A limitation of this study is that the analysis of all the collected data was done by just one person, due to time and also knowledge constraints. In the areas of healthcare informatics and information security there are not many experts with the combined knowledge that would qualify them to collaborate in the coding and analysis processes.

Time constraints also limited the amount of flexibility we had in arranging focus groups with the HCPs. It is very difficult to set up meetings with healthcare professionals and put them all together in the same room for at least 1 h, especially when they have many variable and incompatible timetables. Setting the focus group meetings at the time of their lectures was a shortcut to hasten this process. To minimise the bias of this selection process, the focus groups’ discussions were undertaken before any lectures whose content might have influenced their thoughts and experiences about the subject of discussion.

5.4. Further research

In our future research we plan to complement this study with the application of observation studies as well as with the generation of further theories and rules from a more prolonged systematic analysis of the collected data. These rules will then be translated into access control policies that can be integrated into a more adaptable and flexible access control model for EMR than is available today. A similar research methodology will be applied to patients so that their needs will be integrated into the same model. Patients should benefit from accessing their medical information and taking more control and responsibility for their healthcare (i.e. patient empowerment) [19]. Further, we would like to include generic issues from the analysis of legislation and standards that relate to access control in the healthcare environment.

6. Conclusions

This research work shows that in order to be effective access control policies should be defined with the active collaboration of healthcare professionals. Our conclusion is based on the results from our different studies which used GT and mixed methods to gather information. Our results showed that, by actively collaborating with healthcare professionals, access control and access control policies in healthcare can:

- be defined closer to end user needs and practices;
- be integrated in a more natural manner within healthcare professionals’ daily workflows;
- reduce the barriers and problems that healthcare professionals face when learning how to use the system. This is because fewer alterations will be needed to their workflows and fewer problems will come up when accessing the information they require to perform their job.

Although GT is commonly used in social and political research as well as in medicine and nursing, published material shows that it has never been applied in the domain of access control to EMR (which integrates three different and complex domains: healthcare, informatics and security), and certainly not in the same way that was applied and described in this paper. The same methodology can also help with research that needs to focus on the interactions between humans and technology and bridging this gap by bringing closer together the users’ needs and the systems’ functionality.

Even though information security is usually more related to technological issues, security is mostly about people and processes. GT, together with mixed methods research can, in this case, be one solution to involve healthcare professionals in the definition of access control policies to EMR in order to make information security more grounded into their workflows and daily practices.

Summary points

What was known before the study

• EMR have integration problems into existing workflows
• Healthcare professionals do not participate in the EMR design, implementation process and access control policy definition
• HCPs usually have workflow and education problems when using the EMR

What this study has added to the body of knowledge

• Grounded theory and mixed methods:
◦ Can be used to involve healthcare professionals in defining access control policies to EMR
◦ Can be used to explore access control and users’ perspectives and experiences in a diversified and integrated way
◦ Can help to adapt access control to healthcare professionals’ needs in terms of EMR workflows with a goal to minimise EMR integration barriers
◦ Can be used in similar research for the information security domain
Conflicts of interest

None declared.

Authors’ contributions

Ana Ferreira, the contact author for this paper, performed the studies that are described here as well as the analysis of data that was generated within them. She also had the idea of writing this paper for which she envisaged the main structure. Professor Luis Antunes, as the co-supervisor for this work, revised the whole paper and helped the contact author to make the structure more meaningful and clearer and made sure the methodology was well applied and described. Professor David Chadwick, as the main supervisor of this work, envisaged the methodology to be applied for this particular study, revised the whole paper and helped to write it in a clearer and more correct way. Professor Ricardo Cruz-Correia helped in improving the abstract and discussion as well as developing some of the data analysis performed for the applied methodology.

Acknowledgements

The authors would like to thank the (ISC)2 Organization and the Portuguese Calouste Gulbenkian Foundation for their support.

Appendix A.

References

[1] D. Gollman, Computer Security, 1st ed., John Wiley & Sons, 1999.

[2] S. Harris, CISSP All-in-One Exam Guide, 2nd ed., McGraw-Hill Osborne Media, 2003.

[3] C. Waegemann, EHR vs. CPR vs. EMR, Healthcare Informatics online, May 2003.

[4] R. Cruz-Correia, P. Vieira-Marques, P. Costa, A. Ferreira, E. Oliveira-Palhares, F. Araújo, et al., Integration of hospital data using agent technologies—a case study, AI Communications Special Issue of ECAI 18 (3) (2005) 191–200.

[5] L. Sprague, Electronic health records: How close? How far to go? NHPF Issue Brief 29 (September (800)) (2004) 1–17.

[6] R.H. Miller, I. Sim, Physicians’ use of electronic medical records: barriers and solutions, Health Affairs (Millwood) 23 (March–April (2)) (2004) 116–126.

[7] M.Y. Becker, P. Sewell, Cassandra: flexible trust management, applied to electronic health records, 2004, pp. 139–154.

[8] A. Ferreira, R. Cruz-Correia, L. Antunes, D. Chadwick, Access control: how can it improve patients’ healthcare? Studies in Health Technology and Informatics, IOS Press 127 (2007) 65–76.

[9] B. Blobel, Authorisation and access control for electronic health record systems, International Journal of Medical Informatics 73 (March 31 (3)) (2004) 251–257.

[10] A. Strauss, Qualitative Analysis for Social Scientists, Cambridge University Press, 1987.

[11] A.B. Marvasti, Qualitative Research in Sociology: an Introduction, Sage, London, 2004.

[12] I. Dey, Grounded theory, in: The SAGE Handbook of Grounded Theory, Sage, 2007.

[13] D.L. Morgan, Practical Strategies for Combining Qualitative and Quantitative Methods: Applications to Health Research, Qualitative Health Research 8 (2) (1998) 362–376.

[14] D. Morgan, Focus groups, Annual Review of Sociology 22 (1996) 129–152.

[15] NVIVO 7, QSR International, Available at: http://www.qsrinternational.com/ (accessed on the 13th April 2009).

[16] K. Charmaz, Constructing Grounded Theory: A Practical Guide through Qualitative Analysis, Sage Publications Ltd., 2006.

[17] A. Ferreira, R. Cruz-Correia, L. Antunes, P. Farinha, E. Oliveira-Palhares, D.W. Chadwick, A. Costa-Pereira, How to break access control in a controlled manner? in: Proceedings of the 19th IEEE Symposium on Computer-Based Medical Systems, 2006, pp. 847–851.

[18] A. Ferreira, D. Chadwick, G. Zao, P. Farinha, R. Correia, R. Chilro, L. Antunes, How to securely break into RBAC: the BTG-RBAC model, Proceedings from 25th Annual Computer Security Applications Conference – ACSAC2009, 2009, pp. 23–31.

[19] A. Ferreira, A. Correia, A. Silva, A. Corte, A. Pinto, A. Saavedra, A.L. Pereira, A.F. Pereira, R. Cruz-Correia, L.F. Antunes, Why facilitate patient access to medical records, Studies in Health Technology and Informatics, IOS Press 127 (2007) 77–90.

